[Samba] I can't get Win10 clients to sync time with the DC

Sérgio Basto sergio at serjux.com
Fri Nov 15 22:16:15 UTC 2019


On Thu, 2019-11-14 at 19:54 +0100, Viktor Trojanovic via samba wrote:
> I'm running a Samba AD DC v4.9.9 with Windows 10 clients connected to it
> and just noticed that the clients are not synchronizing time with the
> server. I'm not sure why not.
> 
> My setup is a bit special in that the DC is running inside a (privileged)
> linux container. For that reason, it's not possible or necessary for the
> container to correct the system clock, this is done on the container host
> using ntp. But the DC should provide time to clients connected to the
> domain just as in a regular setup.
> 
> Naturally, I followed the guide in the wiki with the exception that I
> didn't set external servers to get time from. My ntp.conf looks like this
> (it really is called ntp.conf on Ubuntu, not ntpd.conf):
> 
> server 127.127.1.0
> fudge 127.127.1.0 stratum 1
> driftfile /var/lib/ntp/ntp.drift
> ntpsigndsocket /var/lib/samba/ntp_signd
> restrict -4 default kod notrap nomodify nopeer noquery limited mssntp
> restrict -6 default kod notrap nomodify nopeer noquery limited mssntp
> restrict 127.0.0.1
> restrict ::1
> tinker panic 0
> 
> I've checked and rechecked this configuration, I can't see an issue with
> it. And ntpd does seem to start properly:
> 
> Nov 14 16:58:45 DC1 ntpd[32172]: ntpd 4.2.8p10@1.3728-o (1): Starting
> Nov 14 16:58:45 DC1 ntpd[32172]: Command line: /usr/sbin/ntpd -p /var/run/ntpd.pid -g -u 111:118
> Nov 14 16:58:45 DC1 systemd[1]: Started Network Time Service.
> Nov 14 16:58:45 DC1 ntpd[32175]: proto: precision = 0.073 usec (-24)
> Nov 14 16:58:45 DC1 ntpd[32175]: MS-SNTP signd operations currently block ntpd degrading service to all clients.
> Nov 14 16:58:45 DC1 ntpd[32175]: Listen and drop on 0 v6wildcard [::]:123
> Nov 14 16:58:45 DC1 ntpd[32175]: Listen and drop on 1 v4wildcard 0.0.0.0:123
> Nov 14 16:58:45 DC1 ntpd[32175]: Listen normally on 2 lo 127.0.0.1:123
> Nov 14 16:58:45 DC1 ntpd[32175]: Listen normally on 3 eth0 192.168.1.2:123
> Nov 14 16:58:45 DC1 ntpd[32175]: Listen normally on 4 lo [::1]:123
> Nov 14 16:58:45 DC1 ntpd[32175]: Listen normally on 5 eth0 [fe80::216:3eff:feb4:414e%10]:123
> Nov 14 16:58:45 DC1 ntpd[32175]: Listening on routing socket on fd #22 for interface updates
> 
> The command ntpq shows that the local clock is accepted to be
> authoritative:
> 
> root@DC1:~# ntpq -pn
>      remote           refid      st t when poll reach   delay   offset  jitter
> ==============================================================================
> *127.127.1.0     .LOCL.           1 l   30   64  377    0.000    0.000   0.000
> 
> On the Windows client, I can query the server alright:
> 
> C:\WINDOWS\system32>w32tm /monitor
> DC1.samdom.example.com *** PDC ***[192.168.1.2:123]:
>     ICMP: 0ms delay
>     NTP: +0.0000000s offset from DC1.samdom.example.com
>         RefID: (unknown) [0x00017F7F]
>         Stratum: 2
> 
> C:\WINDOWS\system32>w32tm /stripchart /computer:dc1 /dataonly /samples:5
> Tracking dc1 [192.168.1.2:123].
> Collecting 5 samples.
> The current time is 14.11.2019 19:39:49.
> 19:39:49, -02.9196934s
> 19:39:51, -02.9197052s
> 19:39:53, -02.9197256s
> 19:39:55, -02.9197882s
> 19:39:57, -02.9197818s
> 
> However, when I run w32tm /resync /rediscover, it complains that "The
> computer did not resync because no time data was available."

I got the same error when I tried to switch from ntpd to chrony. I'd
like to understand the root cause of this error.

Chrony has been the default ntp on RedHat systems since 2011 [1].

[1] https://fedoraproject.org/wiki/Features/ChronyDefaultNTP

> I tried so many things on the PC. Restarting the time service,
> unregistering the service and registering it again, checking that the time
> service is not configured by group or local policy (it is not), running
> w32tm /config /syncfromflags:domhier /update, and last but not least,
> rebooting to no end.
> 
> This is not on a laptop, this is happening on computers constantly
> connected to the host and therefore the DC via ethernet.
> 
> Oh, and before I forget, here is my smb.conf, though the AD is otherwise
> functioning without issues:
> 
> [global]
>         dns forwarder = 192.168.1.1
>         netbios name = DC1
>         realm = SAMDOM.EXAMPLE.COM
>         server role = active directory domain controller
>         workgroup = SAMDOM
>         idmap_ldb:use rfc2307 = yes
> [netlogon]
>         path = /var/lib/samba/sysvol/samdom.example.com/scripts
>         read only = No
> [sysvol]
>         path = /var/lib/samba/sysvol
>         read only = No
> 
> I'd really appreciate a nudge in the right direction.
> 
> Viktor
-- 
Sérgio M. B.
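
Added example, not part of the original thread or of Samba/ntpd: a decoder for the fixed 48-byte NTP reply header, showing that the `RefID: (unknown) [0x00017F7F]` reported by `w32tm /monitor` above is the byte-reversed form of 127.127.1.0, the local-clock driver named in the quoted ntp.conf. The sample packet is constructed to match the values in the thread (stratum 2, precision -24); the 20-byte trailer length is the MS-SNTP authenticator (4-byte key identifier plus 16-byte checksum).

```python
import ipaddress
import struct

NTP_HEADER_LEN = 48      # fixed NTP header (RFC 5905)
MS_SNTP_AUTH_LEN = 20    # MS-SNTP authenticator: key identifier + checksum


def decode_ntp_reply(pkt: bytes) -> dict:
    """Decode the fields of an NTP reply that matter when a client rejects it."""
    if len(pkt) < NTP_HEADER_LEN:
        raise ValueError("short NTP packet")
    flags, stratum, _poll, precision = struct.unpack("!BBbb", pkt[:4])
    _root_delay, root_disp = struct.unpack("!iI", pkt[4:12])
    refid = pkt[12:16]
    if stratum <= 1:
        # Stratum 0/1: refid is a four-character ASCII code such as "LOCL".
        source = refid.rstrip(b"\0").decode("ascii", "replace")
    else:
        # Stratum 2+: refid is the IPv4 address of the server's sync source.
        source = str(ipaddress.IPv4Address(refid))
    return {
        "leap": flags >> 6,              # 3 means "clock unsynchronized"
        "version": (flags >> 3) & 7,
        "mode": flags & 7,               # 4 = server reply
        "stratum": stratum,
        "precision": precision,
        "source": source,
        # Same four bytes read as a little-endian integer, which reproduces
        # the hex value shown in the quoted w32tm output.
        "w32tm_refid": "0x%08X" % int.from_bytes(refid, "little"),
        "root_dispersion_s": root_disp / 65536,   # 16.16 fixed point
        "signed": len(pkt) == NTP_HEADER_LEN + MS_SNTP_AUTH_LEN,
    }


# Constructed sample reply: LI=0, VN=3, mode=4, stratum 2, poll 6,
# precision -24, refid 127.127.1.0, timestamps zeroed for brevity.
SAMPLE = (bytes([0x1C, 2, 6, 0xE8]) + struct.pack("!iI", 0, 0x00010000)
          + bytes([127, 127, 1, 0]) + bytes(32))

if __name__ == "__main__":
    for key, value in decode_ntp_reply(SAMPLE).items():
        print(f"{key:18} {value}")
```

Feed it the UDP payload of a reply captured on port 123 to compare what the DC sends to an unsigned query with what it sends to a signed one.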



